From c399f66db5eefaecce065d4f5ea7dcc725b8e106 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Thu, 21 Dec 2017 17:41:42 +0100 Subject: Improve a bit the documentation wrt. limitations --- doc/source/config.rst | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'doc/source/config.rst') diff --git a/doc/source/config.rst b/doc/source/config.rst index ceb23bb..5e323db 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -322,7 +322,7 @@ The ``param`` filter is also able to do some dereferencing: The ``filename`` filter requires a leading ``/``, since paths are absolutes (like ``/var/www/mywebsite/lib/parse.php``). If you would like to have only one configuration file for several vhost in different folders, -you can use the the ``filename_r`` directive to match on the filename (like ``/lib/parse\.php``). +you can use the ``filename_r`` directive to match on the filename (like ``/lib/parse\.php``). For clarity, the presence of the ``allow`` or ``drop`` action is **mandatory**. @@ -333,9 +333,22 @@ For clarity, the presence of the ``allow`` or ``drop`` action is **mandatory**. more narrowed way later, the call will be denied, because it'll match the deny first. -If you're paranoid, we're providing a php script to automatically generate -hash of files containing dangerous functions, -and blacklisting them everywhere else. +If you're paranoid, we're providing a `php script +`__ +to automatically generate hash of files containing dangerous functions, and +blacklisting them everywhere else. + +Limitations +^^^^^^^^^^^ + +It's currently not possible to: + +- Hook every `language construct `__, + because each of them requires a specific implementation. +- Hook on the return value of user-defined functions +- Use extra-convoluted rulesfor matching, like ``${$A}$$B->${'}[1]``, because if you're writing + things like this, odds are that you're doing something wrong anyway. + Examples ^^^^^^^^ -- cgit v1.3
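Review bot: In the first hunk (@@ -322,7 +322,7), the corrected line still shows ``/lib/parse\.php`` as the ``filename_r`` example with no end anchor, and the paragraph does not say whether the pattern must match the whole path or may match anywhere inside it. Because this directive is offered for sharing one configuration file across several vhosts, please state the matching semantics here, and if the match is unanchored, show the example with a trailing ``$``. While this paragraph is being touched, the context lines "paths are absolutes" and "several vhost" could also be corrected to "paths are absolute" and "several vhosts".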
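Review bot: In the second hunk (@@ -333,9 +333,22), the new Limitations list says what is not possible but not what happens when a rule attempts it anyway. For the third bullet in particular, please document whether an unsupported matching expression is rejected when the configuration is loaded, or accepted and never matched, since the second case leaves a rule that looks active and protects nothing. Smaller points in the same hunk: "rulesfor" is missing a space, the second bullet lacks the full stop that the other two have, and "generate hash of files" reads better as "generate hashes of files".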